
Re: TLS Replication that works for me (was Re: )




Daniel Crandall wrote:
Hi,
I added that line to the replica block in the slapd.conf, and voilà!
Fully encrypted update transmissions!

Thanks a lot for the info.  I've been frustrated on this for quite a
while.

Say, I was not having any luck locating this information in various docs.
Can you tell me where you found out about that slapd.conf directive?

Many many thanks again,

Daniel


-----Original Message-----
From: Daniel Crandall [mailto:dcrandal@tdhca.state.tx.us]
Sent: Wednesday, May 14, 2003 10:35 AM
To: 'John Beamon'
Cc: openldap-software@OpenLDAP.org
Subject: RE: TLS Replication that works for me (was Re: )

Hi, thanks for your reply!

I've got replication working, and I have the certificates generated.  No
problems there.
The slapd.conf details are, I'm sure, where I'm out in the weeds.

Specifically, I didn't know about this
tls=critical            # TLS = SSL-on-request, basically


There's a reference on "LDAP v3" at www.bayour.com/openldap/, and there's a sample "slapd.conf.txt" under that directory. I didn't have predictable results with "tls=yes", and I never found "tls=critical" commonly suggested. AFAIK, it requires that all replication attempts use TLS or fail and die. Also, I learned after much searching that TLS does not require that you specify ldaps:// in any of the replication statements or connections back to the master. Those details were the last brick for me, too. That article also sets up Kerberos ticketing for authentication and a sort of single-sign-on system.


-j
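As an added illustration of the directive this thread is about (not taken from either mail, nor from the bayour.com sample file), here is what a master slapd.conf with a tls=critical replica block looks like for slurpd-based replication. The hostnames, DNs, file paths and the replicator password are placeholders I have assumed, and a simple bind is used in place of the Kerberos/SASL setup the bayour.com article describes.

```conf
# Added example, not from the original thread. Hostnames, DNs, file paths and
# the credentials below are assumed placeholders, not values from the mail.
#
# --- master slapd.conf (OpenLDAP 2.1, slurpd replication) ---

# Server-side TLS for slapd itself: lets clients (and the slave's updateref
# referrals back to the master) use StartTLS against this server.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/master-cert.pem
TLSCertificateKeyFile   /etc/openldap/master-key.pem

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# slurpd tails this log and pushes each change to every replica listed below.
replogfile      /var/lib/ldap/replog

# The replica block. The URI is plain ldap:// on 389, not ldaps://: with
# tls=critical slurpd issues StartTLS on that connection before it binds, and
# if TLS cannot be negotiated the bind is abandoned and the change stays queued
# rather than going over the wire in the clear.
#
# With tls=yes a failed StartTLS is only logged as a warning and slurpd binds
# and replicates unencrypted anyway, which is why "yes" looks unpredictable.
replica         uri=ldap://slave.example.com:389
                binddn="cn=Replicator,dc=example,dc=com"
                bindmethod=simple
                credentials=replicator-password
                tls=critical
```

Two things to check on the slave side. First, it needs `updatedn "cn=Replicator,dc=example,dc=com"`, an `updateref ldap://master.example.com`, and its own TLSCertificateFile/TLSCertificateKeyFile so it can actually answer the StartTLS request. Second, slurpd is a libldap client, so the CA it uses to verify the slave's certificate comes from the client configuration (`TLS_CACERT` in ldap.conf), not from the TLS* directives in slapd.conf; with the default `TLS_REQCERT demand`, an unverifiable slave certificate makes StartTLS fail, and with tls=critical that halts replication instead of silently downgrading it. A quick way to confirm the slave accepts StartTLS with that CA is `ldapsearch -ZZ -x -H ldap://slave.example.com -D "cn=Replicator,dc=example,dc=com" -W -b "dc=example,dc=com" -s base` run from the master, since -ZZ refuses to continue if StartTLS does not succeed. Because slapd.conf now carries the replicator password, keep it readable only by the user slapd and slurpd run as.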